Spain Arrests 4 Alleged ‘Anonymous Fénix’ Hacktivists After DDoS Attacks

by Sophie Lin - Technology Editor

Spanish authorities have arrested four individuals allegedly linked to a hacktivist group known as Anonymous Fénix, accused of orchestrating distributed denial-of-service (DDoS) attacks against government ministries, political parties, and public institutions in Spain and several South American countries. The arrests mark the culmination of a two-year investigation into the group’s activities, which intensified following the devastating floods that impacted Valencia in late 2024.

The group, which presented itself as affiliated with the broader Anonymous collective, leveraged DDoS attacks – a relatively simple but disruptive technique involving overwhelming targeted servers with traffic – to disrupt online services and express discontent with the Spanish government’s handling of the 2024 floods. More than 230 people died as a result of the intense floods, with Valencia being particularly hard hit, according to reports.

The Spanish Civil Guard initiated the operation in April 2023, but activity escalated significantly in September 2024, with Anonymous Fénix actively recruiting volunteers via platforms like X (formerly Twitter) and Telegram to participate in their cyberattacks. According to the Civil Guard, the group justified their actions by claiming the government was “responsible for the tragedy” of the floods, a sentiment echoed by many Spaniards at the time.

The first arrests, targeting the group’s administrator and moderator, occurred in May 2025 in Alcalá de Henares, near Madrid, and Oviedo, in Asturias. Further investigation, building on evidence gathered from those initial detentions, led to the recent arrests of two additional key operatives in Ibiza and Móstoles, both near Madrid, earlier this month.

DDoS Attacks and Recruitment Tactics

DDoS attacks, although not resulting in data breaches, can effectively take websites offline, disrupting essential public services and causing significant operational headaches. Anonymous Fénix targeted a range of entities, including websites of Spanish government ministries, political party infrastructure, and public administration portals. The group’s recruitment efforts, as detailed by the Civil Guard, focused on attracting individuals willing to contribute to these attacks.

“From September 2024 they increased their activity and initiated a campaign of recruitment of volunteers with the aim of perpetrating cyberattacks against relevant domains,” the Spanish Civil Guard stated. “They reached their peak after the DANA of Valencia when they managed to successfully attack different websites of the Public Administration, justifying that they were ‘the responsible for the tragedy.'”

Broader Crackdown on Cybercrime in Spain

The takedown of Anonymous Fénix is part of a broader effort by Spanish authorities to combat cybercrime. In recent months, a 19-year-old suspect was detained in Barcelona for allegedly breaching nine companies, and the “GXC Team” crime-as-a-service (CaaS) platform, which distributed AI-powered phishing kits, Android malware, and voice-scam tools, was dismantled. Assist Net Security reports these actions demonstrate a heightened focus on digital security.

In January, the Spanish National Police arrested 34 individuals linked to a criminal network involved in cyber fraud, believed to have connections to the Black Axe crime ring, according to The Register.

Following the arrests of the Anonymous Fénix members, Spanish courts ordered the seizure of the group’s accounts on X and YouTube, and its Telegram channel was closed. As of February 24, 2026, details regarding specific charges and potential penalties have not been publicly released by the Civil Guard.

What’s Next for Cybersecurity in Spain?

The dismantling of Anonymous Fénix represents a significant win for Spanish law enforcement, but the threat of hacktivist activity and cybercrime remains. Authorities will likely continue to prioritize the disruption of these groups and the prosecution of individuals involved in malicious cyber activities. The increasing sophistication of cyberattacks, including the use of AI-powered tools as seen with the GXC Team platform, will necessitate ongoing investment in cybersecurity infrastructure and expertise. The focus will likely remain on protecting critical infrastructure and ensuring the availability of essential online services.
